29 lines
2.2 KiB
Plaintext
29 lines
2.2 KiB
Plaintext
|
1.Co to CVD
|
|||
|
|
CVD (ClamAV Virus Database) to podpisany cyfrowo 'tarball' zawierający jedną lub więcej baz danych
|
|||
|
|
|
|||
|
|
2. Dodawanie sygnatur
|
|||
|
|
a) HTML
|
|||
|
|
ClamAV contains HTML normalization code which makes it easier to write signatures for HTML data that might differ based on white space, capitalization, and other insignificant differences. Running sigtool --html-normalise on a HTML file can be used to see what a file’s contents will look like after normalization. This command should generate the following files:
|
|||
|
|
|
|||
|
|
nocomment.html - znormalizowany, lower-case, wyrzucone komentarze i white-spaces
|
|||
|
|
notags.html - jak powyżej, ale tagi html są wyrzucone
|
|||
|
|
javascript - any script contents are normalized and the results appended to this file
|
|||
|
|
|
|||
|
|
The code automatically decodes JScript.encode parts and char ref’s (e.g. f). To create a successful signature for the input file type, the rule must match on the contents of one of the created files. Signatures matching on normalized HTML should have a target type of 3. For reference, see Target Types.
|
|||
|
|
|
|||
|
|
|
|||
|
|
b) Pliki tekstowe
|
|||
|
|
Similarly to HTML all ASCII text files get normalized (converted to lower-case, all superfluous white space and control characters removed, etc.) before scanning. Running sigtool --ascii-normalise on a text file will result in a normalized version being written to the file named ‘normalised_text’. Rules matching on normalized ASCII text should have a target type of 7. For reference, see Target Types.
|
|||
|
|
|
|||
|
|
|
|||
|
|
c) Skompresowane pliki wykonywalne (UPX, FSG, Petite, ...)
|
|||
|
|
ClamAV będzie próbował automatycznie wypakować plik. To inspect the executable that results from ClamAV’s unpacking process, run clamscan with --debug --leave-temps. Example output for a FSG compressed file:
|
|||
|
|
|
|||
|
|
LibClamAV debug: UPX/FSG/MEW: empty section found - assuming compression
|
|||
|
|
LibClamAV debug: FSG: found old EP @119e0
|
|||
|
|
LibClamAV debug: FSG: Unpacked and rebuilt executable saved in
|
|||
|
|
/tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c
|
|||
|
|
|
|||
|
|
W powyższym przykładie /tmp/clamav-f592b20f9329ac1c91f0e12137bcce6c jest wypakowanym plikiem wykonywalnym
|
|||
|
|
|
|||
|
|
3. Nazwy plików w archiwum: clamav-<hash> (jak w przykładzie z 2c)
|